PRIOn knowledge base: PRION:CVE-2023-6134
History: Dec 14, 2023 - 10:15 p.m.

Cross site scripting

2023-12-14 22:15:00
PRIOn knowledge base
www.prio-n.com
Tags: keycloak, flaw, xss, wildcard, redirects, attack, incomplete fix, cve-2020-10748

AI Score: 5.9 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 45.2%)

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.